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Abstract 

It is shown that the interactive error correction protocol 'CASCADE' should be 
analyzed taking the correlation between passes and finite length of sequence into 
account. Furthermore we mention some problems in quantifying the reduction of 
Renyi entropy by information announced during the error correction process. 

1 Introduction 

The CASCADE protocol for error correction was studied by Brassard and Salvail [1] who 
gave asymptotic estimates of its success probability and the number of information bits 
leaked during protocol execution. In a practical implementation of CASCADE, with a 
fixed number of passes and a finite length sequence, we show that calculation of the success 
probability and number of information bits leaked are very involved problems which have 
not been properly addressed so far. Even the estimates in pQ are made under what may 
be called an 'independent pass' approximation because the correlation between operations 
taking place at different passes of the protocol has been neglected. On the implementation 
side, we study practically important parameters such as the communication complexity 
and the round-trip delay time of CASCADE. 

For cryptographic purposes, in both classical and quantum protocols, one is interested 
in the Renyi information leakage from public discussion during the error correction pro- 
cess. This is because the standard privacy amplification theorem [2] requires the Renyi 
entropy before privacy amplification to be known. Such estimates of Renyi entropy re- 
duction, especially for the case of identical individual attacks by Eve, have been studied 
by Cachin and Maurer [3] , who claimed to show that for linear error- correcting codes, the 
Renyi entropy reduction is roughly equal to the number of announced bits. We explain 



why this claim is incorrect. However, we suggest that covering the announced bits with 
a pre-shared secret key would result in no Renyi entropy reduction and can be used as 
long as the net key generation rate remains positive. For CASCADE, for which the Renyi 
entropy reduction has not been studied, we suggest a similar procedure. In doing so, we 
find that, unlike the case of linear error-correcting codes, there is still an entropy reduction 
that is difficult to quantify. 

2 CASCADE PROTOCOL 

2.1 'Independent Pass' and 'Infinite- length Sequence' Approxi- 
mation 

The CASCADE protocol proceeds in several passes in which block-parity conparison and 
binary-search-type error correction are executed. CASCADE uses correlation between the 
sequences of passes, so that it performs better as to the number of announced bits during 
the error correction process than the BBBSS protocolpfj which is also based on parity 
check and binary search, but does not use the correlation of sequences. Upper bounds on 
the number of announced bits were derived in pQ. The number of announced bits seems 
to depend heavily on error patterns and permutation functions used to produce sequences 
of all passes. Furthermore the process is nonlinear. Therefore, the expected value should 
be obtained by averaging the number of announced bits of all specific error patters and 
permutation functions. However, the upper bound on the number of announced bits 
was derived by calculating expected amount of announced bits pass by pass. That is, the 
correlation of sequences was not considered. We performed computer simulation 1,000,000 
times to analyze the performance of CASCADE. The number of announced bits during 
the error correction process obtained by the computer simulation is shown in Tabffl The 
upper bound derived in pQ is also shown in the bracket. It is found that the upper 
bound is very close to the simulation brackets. In the case that the private channel error 
probability e is 0.05 and 0.1, the simulation results are larger than the upper bound. This 
indicates that a nonrigorous method was used to derive the upper bound. 

In pQ, the size of a block for each pass was designed so that the number of errors 
contained in a block of the initial pass reduces to less than half as passes proceed. However, 
the success probability was discussed in pQ on the basis of 100 empirical tests in which 
all errors were corrected at the end of the protocol. Analysis of the success probability is 
very complicated. Only a slight difference of error positions may determine whether the 
protocol succeeds or fails. We have not derived the probability that CASCASE protocol 
succeeds. In this situation, the results of a large number of computer simulations may help 
us to understand its properties. The protocol failure probability obtained by averaging 
the results of 1,000,000 computer simulation is shown in Tabj2j It is found that the 
protocol failure probability reduces as the sequence length becomes longer. Furthermore 
it is found that the failure probability decreases as the error probability of the private 
channel increases. According to our computer simulation, we found that the average 
number of errors remaining after pass 2 is almost the same in the range from 0.3 to 0.37. 
As the error probability of the private channel decreases, block sizes become longer and 



the number of blocks decreases, so that the probability that two or more of the remaining 
errors move to the same block in the next pass becomes large. Then, the protocol failure 
probability increases. From this result, the protocol failure probability should be analysed 
for sequences with finite length and asymptotic limits are not reliable. 



Table 1: Number of Announced Bits during Error Correction 



n 


e = 0.01 


0.05 


0.1 


0.15 


100 


13.43(9.33) 


35.37(33.14) 


59.3(57) 


77.56(82.4) 


200 


20.64(18.66) 


69.3(66.29) 


117.39(114) 


153.86(164.8) 


500 


45.93(46.64) 


170.12(165.71) 


288.67(285) 


384.76(412) 


1000 


90.99(93.29) 


339.01(331.43) 


576.53(570) 


768.19(824) 


2000 


182.16(186.58) 


677.25(662.86) 


1151.7(1140) 


1536.02(1648) 


5000 


454.38(466.44) 


1692.09(1657.14) 


2878.41(2850) 


3839.52(4120) 


10000 


906.18(932.88) 


3382.11(3314.29) 


5753.93(5700) 


7678.68(8240) 


e: error probabi 


ity of private channel, n: sequence length. 



The upper bound [lj is given in parentheses. 



Table 2: Protocol Failure Probability of CASCADE 



e 


n=100 


200 


500 


1000 


2000 


5000 


10000 


0.01 


0.023603 


0.056623 


0.078354 


0.044117 


0.011357 


0.002677 


0.001005 


0.05 


0.072621 


0.038288 


0.005492 


0.001657 


0.000355 


0.000075 


0.000066 


0.1 


0.032161 


0.009446 


0.001129 


0.000349 


0.000119 


0.000009 


0.000011 


0.15 


0.016245 


0.006394 


0.000415 


0.000158 


0.000039 





0.00001 



e: error probabi 



ity of private channel, n: sequence length. 



2.2 Communication Complexity 

For interactive error correction like CASCADE, a round-trip is necessary for comparing 
block and sub-block parities. From a practical viewpoint, time for the round-trips should 
be considered in evaluating the net key generation rate. The number of round-trips is 
shown in TabJ3]for CASCADE and BBBSS protocol which does not use the correlation 
between sequences!!]. It is found in Tabj3]that the number of the round-trip increases as 
error probability of the private channel becomes large and the sequence length becomes 
longer, and it is almost proportionally to the sequence length in CASCADE, while that 
of BBBSS protocol is almost constant. The difference comes from the fact that each error 
has to be corrected one by one after pass two in CASCADE, while errors can be corrected 
simultaneously in each pass in BBBSS protocol. It is found that as sifted key generation 
rate over a private channel increases, error correction process would dominate the net key 
generation rate, especially for CASCADE. 



Table 3: Number of Round Trips 





CASCADE 


BBBSS 


n 


£0.01 


0.05 


0.1 


0.14 


0.01 


0.1 


0.1 


0.15 


500 


26.12 


58.66 


81.95 


105.21 


26.08 


36.04 


38.77 


38.57 


1000 


42.70 


107.41 


154.89 


202.34 


33.26 


44.16 


47.60 


47.56 


2000 


74.86 


205.09 


300.89 


396.46 


42.47 


54.17 


57.87 


57.17 


5000 


170.21 


498.91 


739.75 


979.01 


56.20 


68.58 


72.29 


71.17 


10000 


329.23 


987.53 


1470.49 


1949.51 


67.42 


80.14 


82.73 


82.27 



3 REDUCTION OF RENYI ENTROPY BY ERROR 
CORRECTION 

The amount of information leaked during the error correction process would reduce Eve's 
Renyi entropy about the legitimate users' sequence. The precise estimation of the amount 
of this reduction is very important for evaluating the key generation rate. It was shown 
in Th. 9 of [3J that in the case where the raw key is generated by many independent 
repetitions of a random experiment, each bit leaked during the error correction process 
reduces Eve's Renyi entropy by only about one. The properties of the so-called e-strongly 
typical sequences defined below are used to prove this result. 

Definition 1 (e-strongly typical set[3j) Let X be a random variable distributed ac- 
cording to Px over some finite set X where it is assumed that Px( x ) > for all x EX. 
Let x n = [x\, ...,£„] be a sequence of n digits of X and define N a (x n ) to be the number of 
occurrences of the symbol a EX in the sequence x n . A sequence x n EX n is called e-strongly 
typical if and only if (1 — e)Px(a) < Na<y ^ - < (1 + e)Px(a) for all a EX. 

It was claimed that the occurrence probability of each sequence in the e-strongly 
typical set is asymptotically identical, and this property was used to prove Th. 9 in 
[3j. This claim is wrong, however - the ratio of the maximum occurrence probability of 
a sequence in the e-strongly typical set to the minimum one increases as the sequence 
length becomes longer[5]. For the binary case, assuming that -Px(O) = p(< 1/2), the 
ratio is (^ £ ) 2npe . As an example, let us consider the case that n=100,000, Px(0)=0.1, 
e=0.01. The minimum occurrence probability P™,i n (x n ) = 2.52 x 10 -14214 , the maximum 
P^(x n ) = 1.78 x 10" 14023 , then the ratio Pf„ ax (x n )/P^ n (x") = 7.06 x 10 190 . In this case, 
the probability Pr [X n E S n (e)] that the sequence is in a e-strongly typical set S n (e) is 
0.711. Therefore, Th. 9 does not apply to this case. The amount of information additional 
to that predicted by Th. 9 can be obtained by Th. 6 of [3]. We find the upper bound on 
the reduction of Eve's Renyi entropy is 2485 bits more than that predicted by Th. 9. 

Next, let us consider the case that the legitimate users cover the announced bits by a 
pre-shared secret key. The covered announced bits never reduces Eve's Renyi entropy for 
error correction by non-interactive linear code. This is because the pre-shared secret key 
and the announced bits are mutually independent. Then, the reduction of the size of the 



final key by the error correction process is just as the same as the number of announced 
bits. In the case of interactive error correction, however, it is not apparent whether the 
announced bits reduce Eve's Renyi entropy or not, because interactive error correction 
reveals possible information on the positions of all errors, which could help Eve. Thus, 
it should be verified that this problem is addressed in, e.g., [Bj, where the security of 
CASCADE using the above method of covering the parity information has been studied. 
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